Study Context


•  Challenging  Context 

-  A  very  complex  reality...  with  many  biased  perspectives 

-  Changing  very  rapidly 

-  Huge  diversity  in  the  target  audience 
RD7 Summary Report on FOSS


Synthesis  —  High-level  vision 

-  Systematically  referring  to  credible,  up-to-date,  rigorous  reports 

3-Cycle validation process

• Cycle 1 - DRDC Valcartier

•  Cycle  2  -  DRDC  Corporate  HQ 

•  Cycle  3  -  DND/CF  and  OGD 


DRDC:  Defence  R&D  Canada 

DND/CF: Department of National Defence / Canadian Forces
OGD: Other Government Departments


DRDC-  Advisory  Team  on  FOSS 


Robert Charpentier, Richard Carbone, Paul-Andre Cote,

David  Demers,  Martin  Salois,  Lt  Stephane  Fortin, 

Dr  Denis  Poussart  (U.  Laval),  Max  Blanchet  (CGI),  Bertrand  Couture  (DMR) 
Archive & Report Status


Archive  : 

~  287  technical  reports  evaluated 
Reports  : 

- 124 references used in the report

-  17  topics  discussed  (-59  main  statements) 

-  394  selected  FOSS  introduced 
Software


Free 

(Gratis  Libre) 


Proprietary 

(Cost  ->  Restricted) 


Corporate 

Development 

Ex.  Eclipse 


Collaborative 

Development 


Mature 


Ex.  Apache 


Risk 


In-development 
FOSS Evolution


• Approximately 115,000 projects registered

-  more  than  half  of  them  are  inactive  (or  duplicates) 

-  115-150  software  applications  on  the  secure/mature  lists 


Collaborative  development  evolved  in  a  very  efficient  process 

-  Well-structured 

-  Systematic  code  review  and  testing 

-  Very  fast  bug  fixing 
FOSS Benefits


Mature  FOSS  repeatedly  suggested  many  benefits 

-  Huge  diversity  of  software 

-  High  flexibility  and  scalability  through  code  editing 

-  High  reliability  and  security  through  code  review 

-  One-order  of  magnitude  faster  release  rate  than  COTS  products 

-  Rapid  “customizing”  through  code  reuse 

-  High  degree  of  compliance  with  open  standards 

-  Lifetime  extension  of  FOSS-based  systems  without  lock-in 
COTS: Commercial-Off-The-Shelf


Current  Concerns 


•  Version  control  may  be  more  complex  (evolving) 

•  System  maintainability  requires  more  local  resources 

•  Higher  technical  skill  needed  from  system  administrators 

• May offer less integration between applications and less user-friendliness (evolving)
FOSS around the World

• European Union is actively adopting FOSS

- United Kingdom - policy and partial migration plan

- Germany, France & Sweden - policy and migration up to desktop

-  24  countries  reviewing  policies  (as  of  June  2003) 

• Latin American, African, Oceanian and Asian countries are also moving toward FOSS in varying degrees

• Main motivations:

-  Direct  cost  savings 

-  Less  economic  losses  at  the  national  level  compared  with  COTS  imports 

-  Improve  national  IT  expertise  in  software 
IT: Information Technology


FOSS  in  the  USA 


•  FOSS  originated  largely  in  the  USA  and  is  still  strong 


•  Many  large  American  corporations  contribute  to  FOSS 

-  IBM,  Hewlett-Packard,  Sun  Microsystems,  Silicon  Graphics  etc 

•  Some  US  government  initiatives  contribute  to  FOSS 

- NSA offered SE Linux (Security Enhanced Linux)

- NTA sponsored an impressive Geomatics project (OSPR)

-  NASA  used  collaborative  FOSS  development  for  Mars  exploration 


Adopting  a  strong  FOSS  policy  could  be  problematic  for  the  US 
Government  since  the  software  industry  strongly  supports  the  US 
economy 


NSA = National Security Agency
NTA = National Technology Alliance
OSPR = Open Source Prototype Research = Geomatics
FOSS in Canada


Canada  appeared  to  be  behind  the  curve  in  FOSS  adoption 


Some  comprehensive  initiatives  can  be  found  in  the  education  and 
health  sectors 


GoC  position  on  FOSS  adopted  on  17th  May  2004 
No  barriers  to  procurement 

Ensuring  that  GoC  staff  are  aware  of  the  options  available 
Collaboration  between  departments  is  encouraged 


GoC:  Government  of  Canada 
FOSS and Software Security


Access  to  source  code  greatly  eases  security  enforcement 
Other  key  advantages  include: 

•  «  Leaner  and  meaner  »  software  systems 

•  Possible  source  code  enrichment 

•  Increased  code  diversity  in  software  ecosystem 
Increased  risks  to  manage: 

Internal  expertise  to  develop  and  maintain 

Lack  of  imputability  when  software  is  developed  via  internet 
collaboration 
Authors’ Synthesis


•  FOSS  should  not  be  considered  as  a  panacea  — 

but  appears  to  be  a  credible  and  productive  approach 

•  Cost-effective  in  many  instances 

•  Offering  a  good  maturity,  flexibility,  high  productivity 
Guiding Principles for a Way-Ahead


•  FOSS  represents  a  real  and  credible  opportunity  for  GoC 


•  Diversity  in  supplies  is  preferable 


(Custom  Software,  COTS  and  FOSS) 


Open  Standards  and  specifications  lead  to  system  interoperability 


Evaluation  of  FOSS  must  be  done  on  a  case-by-case  basis 
FOSS: Free and Open Source Software


Proposed  Way-Ahead  for  GoC 


•  Promote  progressive  FOSS  adoption  in  GoC 

-  Inform  project  leaders  of  potential  FOSS  benefits 

-  Provide  navigation  aids  to  help  identify  suitable  FOSS 

-  Provide  guidelines  to  assess  FOSS  in  context 

-  Train  personnel  to  interpret  licenses  and  estimate  cost 


Consider  FOSS-based  solutions  in  some  RFP  and 
Choose  «  best  value  on  the  market »  with  technology  neutrality 


http://publiservice.cio-dpi.gc.ca/fap-paf/oss-ll/foss-llo/foss-lloOO_e.asp


RFP: Request for proposal
Recommended Evaluation Steps


Define  the  application  context 
Identify  candidates  (FOSS  and  COTS) 

Compare  side-by-side  the  3-4  best  options 
Perform  an  in-depth  code  analysis  if  needed 
Seek  approval  from  local  management  and  client 
Document  the  lessons  learned 

-  An  evaluation  spreadsheet  is  proposed 

-  A  simple  cost  model  is  offered 

-  http://publiservice.cio-dpi.gc.ca/fap-paf/oss-ll/foss-llo/foss-lloOO_e.asp 
Ingredients for Success


• A good working product

• Led by committed leaders

•  Providing  a  general  community  service 

•  Supported  by  developers  who  are  also  its  users 
Part #4 - Catalogue of Selected FOSS
High-Quality FOSS Lists


• GRAS: Generally Recognized As Secure (115 FOSS - MITRE/DoD)


•  GRAM:  Generally  Recognized  As  Mature  (39  FOSS  -  Wheeler) 

•  IDA:  Interchange  Data  Administrations  (multiple  FOSS  -  EU) 


DRDC:  Includes  scientific  FOSS  (±394  FOSS-DRDC) 
Summary


•  Importance  of  FOSS  will  be  increasing 

for  most  Government  departments  including  DND/CF 

• Practical guidelines proposed

for  comparing  FOSS  and  COTS  software  in  project  context 

•  Numerous  navigation  aids  included  in  the  report 

•  French  version  available 
Next Steps


•  Quality  and  Security  assessment  of  FOSS 

- Tools and methodologies to verify & validate C and C++ software

-  Report  for  GoC  project  leaders  and  security  architects 

-  Tools  and  methodologies  to  verify  &  validate  Java  software 

-  Report  for  GoC  project  leaders  and  security  architects 


FOSS  licenses  and  other  legal  issues 

-  Practical  information  needed  to  support  FOSS  adoption  in  GoC 

Cost  estimation 

-  Practical  information  needed  to  support  FOSS  adoption  in  GoC 
Issues Requiring Some Attention by the GoC


Expertise  for  system  development  and  maintenance 

i.e.  more  reliance  on  internal  resources  -  often  scarce 

Lack  of  imputability 

when  software  is  developed  via  internet  collaboration 

Fragmentation  of  our  computer  base 

compatibility  with  existing  systems  and  databases  to  maintain 

Duplication  of  certification  efforts 

centralized  software  certification  and  GoC  pre-qualified  list  of  FOSS 
Issues Requiring Some Attention by the CF


•  Good  technology  in  some  cases;  criteria  to  clarify 

•  Maintain  interoperability  with  our  allies  moving  to  FOSS 

•  List  of  trusted  sources  in  preparation 


Assess  threat  of  FOSS  having  offensive  capabilities 
•  List  of  offensive  FOSS  being  built 
For comments:


FOSS@drdc-rddc.gc.ca

http://www.cio-dpi.gc.ca/fap-paf/oss-ll/oss-ll_e.asp


